(54) Digital signing method

(57) According to the invention, techniques for 
authenticating that a digitally signed document is genu-
ine are provided. Specific embodiments according to the present
invention can determine whether a digital signature was 
generated by a digital signature generator, or if the dig- 
ital signature was generated by a third party posing as 
the digital signature generator. Specific embodiments 
can provide independent verification of digital signer 
identity based upon prior signed messages, time/date 
stamps, and the like. Techniques according to the 
present invention can be embodied in methods, appara- 
tus, computer software and systems. 
Description

CROSS-REFERENCES TO RELATED APPLICATIONS 

[0001] This application claims priority from Japa- 
nese Patent Application Reference No. P11-301216,
filed October 22, 1999. 

[0002] Further, this application claims priority from 
Japanese Patent Application Reference No. P2000- 
081712, filed March 17, 2000. 

BACKGROUND OF THE INVENTION 

[0003] The present invention relates generally to 
digital signature techniques, and specifically to tech- 
niques for authenticating a digitally signed document. 
[0004] Digital signature techniques add the function 
of the conventional seal to a digitized message such as 
an electronic document, and are attracting attention 
since the techniques make it possible to develop 
advanced applications of networks as seen in electronic 
commerce. 

[0005] In conventional digital signature techniques, 
a digital signature generator applies a secret key that it 
secretly holds to a message M to be signed or to its 
hash value, which is a characteristic value as well as a 
message digest, to generate a digital signature A for the 
message M. Then, the message M is made public with 
the digital signature A attached to it. A digital signature 
verifier applies a public key paired with the above secret 
key to the digital signature A attached to the message 
M, and compares the result against the message M or 
its hash value. If they do not coincide, the message M 
may have been altered one way or another after the dig- 
ital signature A was generated. Only when they coin- 
cide, therefore, can the verifier authenticate that the 
digital signature A was generated for the present mes- 
sage M. 

[0006] However, such conventional digital signature 
techniques are often based upon an assumption that 
each digital signature generator maintains its own 
secret key in complete security. That is, it is assumed
that the only person who can generate a digital signa- 
ture which can be verified by use of a specific public key 
is a digital signature generator who lawfully holds a 
secret key paired with the public key. 
[0007] What is really needed are techniques for 
determining whether a digital signature was generated 
by a digital signature generator, or if the digital signature 
was generated by a third party posing as the digital sig- 
nature generator. 

SUMMARY OF THE INVENTION 



[0008] According to the invention, techniques for 
authenticating that a digitally signed document is genu- 
ine are provided. Specific embodiments according to 
the present invention can determine whether a digital
signature was generated by a digital signature genera-
tor, or if the digital signature was generated by a third
party posing as the digital signature generator. Specific
embodiments can provide independent verification
based upon prior signed messages, time/date stamps,
and the like. Techniques according to the present inven- 
tion can be embodied in methods, apparatus, computer 
software and systems. 

[0009] Accordingly, in a first aspect of the present 
invention, on the digital signature generator side, log
data of a digital-signature-attached message is regis- 
tered with a log list before the digital-signature-attached 
message is distributed. The digital-signature-attached 
message includes a generated digital signature and a 
message. Here, the log data may be the digital-signa-
ture-attached message itself, or it may be another dig- 
ital-signature-attached message created by replacing 
the message included in the original digital-signature- 
attached message with its hash value. 
[0010] As used herein, the term "hash value" refers
to a value computed using a function called a "hash 
function", which produces a fixed-length value from a 
variable-length input value. To ensure security, it is 
desirable to employ such a function with which it is diffi- 
cult to find two input values that correspond to the same
output value as well as to find an input value that corre- 
sponds to a given output value. In specific embodi- 
ments, the algorithm of a hash function to be used is 
publicly available across the entire system. 
[0011] This makes it possible for a digital signature
verifier to verify whether a digital-signature-attached 
message to be verified is distributed by a digital signa- 
ture generator, by obtaining a log list from the digital sig- 
nature generator and checking whether log data of the 
digital-signature-attached message to be verified is reg-
istered with the log list. 

[0012] Further, according to a second aspect of the
present invention, a digital signature generator sends a
digital signature for a message that the generator itself
generated, to a time stamping authority, which is a reli-
able third party, and asks the authority to generate a sig-
nature of the time stamping authority. This signature is
called the timestamp and, in a specific embodiment, can
be made using the digital signature and time data with a
secret key that the time stamping authority secretly
holds. The digital signature generator, then, distributes
the above message with this timestamp attached 
thereto. 

[0013] Accordingly, a digital signature verifier can 
derive the time data and the digital signature from the
timestamp attached to the message by use of a public 
key paired with the secret key held by the time stamping 
authority, and verify whether the validity of the digital 
signature is assured by its digital signature generator by 
checking whether date and time indicated by this time
data exceeds the date and time given by the digital sig- 
nature generator beforehand. 

[0014] As used here, the term "IC card" refers to a 
card formed of a flexible material, for example, body that
comprises a chip, or module, embedded within it. IC 
cards are also referred to as "smart card," "chip card" or 
"memory card," for various types.

[0015] Numerous benefits are achieved by way of
the present invention over conventional techniques. 
Specific embodiments according to the present inven- 
tion can determine whether a digital signature was gen- 
erated by a digital signature generator, or if the digital 
signature was generated by a third party posing as the
digital signature generator. Further, some specific 
embodiments can provide independent verification of 
digital signer identity based upon prior signed mes- 
sages, time/date stamps, and the like. 
[0016] These and other benefits are described
throughout the present specification. A further under- 
standing of the nature and advantages of the invention 
herein may be realized by reference to the remaining 
portions of the specification and the attached drawings. 


BRIEF DESCRIPTION OF THE DRAWINGS 
[0017] 

Fig. 1 illustrates a schematic diagram of a repre-
sentative example system in a first embodiment of 
the present invention. 

Fig. 2 illustrates a schematic diagram of a repre- 
sentative embodiment of a digital signer side appa- 
ratus 1, a purchaser side apparatus 3, a digital
signature verifier side apparatus 5, a mediator side
apparatus 7, and a timestamp issuing apparatus 8
shown in Fig. 1.

Fig. 3 illustrates a schematic diagram of a repre- 
sentative example embodiment of an IC card 22
shown in Fig. 2.

Fig. 4 illustrates a flowchart of representative exam-
ple processes in which a purchaser side apparatus
3 acquires a digital-signature-attached message
from a digital signer side apparatus 1 in the first
embodiment of the present invention. 
Fig. 5 illustrates a flowchart of representative exam- 
ple processes in which a purchaser side apparatus 
3 asks a digital signature verifier side apparatus 5 
to verify a digital-signature-attached message as 
acquired from a digital signer side apparatus 1 in 
the first embodiment of the present invention. 
Fig. 6 illustrates a flowchart of representative exam- 
ple processes in which a digital signer side appara- 
tus 1 asks a digital signature verifier side apparatus
5 to verify a digital-signature-attached message 
that the digital signer side apparatus 1 itself has 
generated in the first embodiment of the present 
invention. 

Fig. 7 illustrates a diagram of representative exam-
ple of data stored in a signature log table 2234 in
the second embodiment of the present invention.
Fig. 8 illustrates a flowchart of representative exam-
ple processes in which a purchaser side apparatus
3 asks a digital signature verifier side apparatus 5 
to verify a digital-signature-attached message 
acquired from a digital signer side apparatus 1 in 
the second embodiment of the present invention. 
Fig. 9 illustrates a flowchart of representative exam-
ple processes in which a digital signer side appara- 
tus 1 asks a digital signature verifier side apparatus 
5 to verify a digital-signature-attached message 
that the digital signer side apparatus 1 itself has 
generated in the second embodiment of the present 
invention. 

Fig. 10 illustrates a flowchart of representative
example processes in which a purchaser side 
apparatus 3 acquires a digital-signature-attached 
message from a digital signer side apparatus 1 in 
the third embodiment of the present invention. 
Fig. 11 illustrates a flowchart of representative exam-
ple processes in which a purchaser side apparatus 
3 asks a digital signature verifier side apparatus 5 
to verify a digital-signature-attached message 
acquired from a digital signer side apparatus 1 in 
the third embodiment of the present invention. 
Fig. 12 illustrates a diagram of a representative
data stored in a signature log table 2234 in a modi- 
fication of the third embodiment of the present 
invention. 

DESCRIPTION OF THE SPECIFIC EMBODIMENTS 

[0018] The present invention provides techniques 
for authenticating that a digitally signed document is 
genuine. Specific embodiments according to the 
present invention can determine whether a digital signa- 
ture was generated by a digital signature generator, or if 
the digital signature was generated by a third party pos- 
ing as the digital signature generator. Further, inde- 
pendent verification of digital signer identity based upon 
prior signed messages, time/date stamps, and the like, 
can be performed. Techniques according to the present 
invention can be embodied in methods, apparatus, 
computer software and systems. 
[0019] Conventional digital signature techniques 
are described, for example, in the following references, 
Alfred J. Menezes, Paul C. van Oorschot, and Scott A.
Vanstone, "Handbook of Applied Cryptography", CRC 
Press, Inc. 1997, Bruce Schneier, "Applied Cryptogra- 
phy Second Edition", John Wiley & Sons, Inc. 1996, 
International Application Number PCT/US91/05386, 
and "Standard Specifications for Public Key Cryptogra- 
phy (Draft Version 11)", IEEE P1363, IEEE, July 1999, 
the entire contents of which is incorporated herein by 
reference for all purposes. While important contribu- 
tions to the field in their own right, opportunities for fur- 
ther improvement in security not heretofore known in 
the art can be achieved by specific embodiments 
according to the present invention. 
[0020] Conventional digital signature techniques 






EP 1 094 424 A2 



are often based upon an assumption that each digital 
signature generator secretly holds its own secret key. 
That is, it is assumed that the only person who can gen- 
erate a digital signature which can be verified by use of 
a specific public key is a digital signature generator who 
holds a secret key paired with the public key. If a third 
party illegally obtains a secret key of a digital signature 
generator due to an error in key management on the 
digital signature generator side or some other reason, 
and generates a digital signature posing as the digital 
signature generator, such an illegality can not be 
detected by the above digital signature technique. 
[0021] One technique applies a second secret key 
held by a digital signature generator to both a message 
and the digital signature for the message to newly gen- 
erate a digital signature for the message. However, this 
technique is intended to ensure the security of the pre- 
vious digital signatures generated by a digital signature 
generator when it has become highly possible for a third 
party to obtain a secret key of the digital signature gen- 
erator as a result of the recent rapid increase in the 
computational capability of computers or improved 
algorithm for deriving the secret key from a public key. 
For a more detailed description of such techniques, fur- 
ther reference may be had to an International Applica- 
tion Number PCT/US93/1 1 1 7. 

[0022] One illegality prevention technique is 
designed to prevent a digital signature generator from 
generating a new digital signature by somehow altering 
a message that the generator generated before, and 
replacing the original message and the original digital 
signature with the new ones. Specifically, a digital signa- 
ture generator applies a secret key that the generator 
secretly holds, to a message M_n to be signed or its hash
value, the hash value of the message used immediately
before, and time data to generate a digital signature A_n
for the message M_n. This assures that a digital signa-
ture A_{n+1} generated immediately after the digital signa-
ture A_n reflects the message M_n. With this arrangement,
if a digital signature generator adds an alteration to the
message M_n that the generator has generated so as to
generate a new digital signature, and replaces the orig-
inal message M_n and the original digital signature A_n
with the new ones, such an illegal conduct will cause the
new message and signature to fail to match the digital
signature A_{n+1}. For a more detailed description of such
techniques, further reference may be had to a publica- 
tion by Bruce Schneier entitled, "Applied Cryptography 
Second Edition", John Wiley & Sons, Inc. 1996, and an 
International Application Number PCT/US91/05386, for
example. 

[0023] Fig. 1 is a schematic diagram of a represent- 
ative example system in a first embodiment according to 
the present invention. 

[0024] As shown in the figure, this system com- 
prises digital signer side apparatuses 1_1 through 1_n
(hereinafter referred to as digital signer side appara-
tuses 1) for creating digital-signature-attached mes-
sages, purchaser side apparatuses 3_1 through 3_n
(hereinafter referred to as purchaser side apparatuses 
3) for holding digital-signature-attached messages cre- 
ated by the digital signer side apparatuses 1, a digital 
signature verifier side apparatus 5 for verifying digital-
signature-attached messages created by the digital
signer side apparatuses 1, and a mediator side appara-
tus 7 for publishing lists of messages created by the dig-
ital signer side apparatuses 1, and acquiring digital-
signature-attached messages from the digital signer
side apparatuses 1 on behalf of the purchaser side
apparatuses 3. 

[0025] It should be noted that in descriptions of the
embodiments of the present invention, the term "mes-
sage" includes, in addition to digital data such as elec-
tronic documents, digitized multimedia data such as
image data and audio data, and digital data having the
same value as that of securities. Furthermore, when
used in descriptions of the embodiments of the present
invention, the term "purchase" refers to an action to
acquire, one way or another, a digital-signature-
attached message created by a digital signer, whether
free of charge or on a charge basis.
[0026] Fig. 2 is a schematic diagram of a represent- 
ative example embodiment of the digital signer side
apparatuses 1, the purchaser side apparatuses 3, the 
digital signature verifier side apparatus 5, the mediator 
side apparatus 7, and the timestamp issuing apparatus 
8. 

[0027] Each apparatus can be constructed by con-
necting an IC card 22 which is a storage medium having
a computational function, to a computer 21 which has a
general configuration comprising a CPU 11, a RAM 12
functioning as a work area for the CPU 11, an external
storage device 13 such as a hard disk device, a reading
device 14 for reading data from a portable storage
medium 15 such as a CD-ROM and an FD, an input
device 16 such as a keyboard or a mouse, a display
device 17 such as a monitor, a communication device
18 for communicating with other apparatuses through a
network, an IC card connecting device 19, and an inter-
face 20 used for transmitting and receiving data
between the above apparatuses.
[0028] The external storage device 13 in each dig-
ital signer side apparatus 1 stores a signature-attached
message creating program 131 for causing the IC card 
22 to generate a digital signature for a message and 
attaching the generated digital signature to the mes- 
sage before distributing the message as a digital-signa- 
ture-attached message, and a verification requesting
program 132 for causing the digital signature verifier 
side apparatus 5 to verify a digital-signature-attached 
message created by the digital signer side apparatus 1 
and providing the digital signature verifier side appara- 
tus 5 with information necessary for the digital signature
verifier side apparatus 5 to verify the digital-signature- 
attached message, according to the instructions of the 
digital signature verifier side apparatus 5. These pro- 
grams are loaded into the RAM 12 so that the CPU 11
executes them as processes such as a signature-
attached message creation processing section 111 and
a verification request processing section 112.
[0029] The external storage device 13 in each pur-
chaser side apparatus 3 stores a signature-attached
message acquiring program 331 for acquiring a digital-
signature-attached message from a digital signer side
apparatus 1, and a verification requesting program 332
for causing the digital signature verifier side apparatus 5
to verify the acquired digital-signature-attached mes-
sage. These programs are loaded into the RAM 12 so
that the CPU 11 executes them as processes such as a
signature-attached message acquisition processing
section 311 and a verification request processing sec-
tion 312.

[0030] The external storage device 13 in the digital 
signature verifier side apparatus 5 stores a signature 
verifying program 531 for verifying a digital-signature- 
attached message according to the instructions of a dig-
ital signer side apparatus 1 or a purchaser side appara-
tus. This program is loaded into the RAM 12 so that the
CPU 11 executes it as a process called a signature ver-
ification processing section 511.

[0031] The mediator side apparatus 7 acquires a
digital-signature-attached message from a digital signer 
side apparatus 1 on behalf of a purchaser side appara- 
tus 3. Basically, the mediator side apparatus 7 has the 
same configuration as that shown in Fig. 2. The IC card 
connecting device can be omitted from each of the pur-
chaser side apparatuses 3, the digital signature verifier 
side apparatus 5, and the mediator side apparatus 7. 
[0032] The above-described programs may be read 
from the portable storage medium 15 such as a CD- 
ROM or an FD by the reading device 14 and installed in
the external storage device 13, or they may be down- 
loaded from the network into the external storage 
device 13 through the communication device 18. The 
programs may be embodied in a carrier wave, which is 
a computer readable medium for transmitting a compu-
ter program. 

[0033] Fig. 3 is a schematic diagram of a represent- 
ative example embodiment of the IC card 22 shown in 
Fig. 2. 

[0034] As shown in the figure, the IC card 22 com-
prises a CPU 221, a RAM 222 functioning as a work
area for the CPU 221, an EEPROM 223 for storing var-
ious programs and data, and an I/O 224 for communi-
cating with the computer 21 through the IC card
connecting device 19. When used in descriptions of this
invention, the term "EEPROM" refers to a read-only 
memory whose stored data can be electronically rewrit- 
ten. 

[0035] The EEPROM 223 stores a signature gener- 
ating program 2231 for generating a digital signature for
a message according to the instructions of the signa-
ture-attached message creation processing section
111, a secret key 2232 used for generating a digital sig-
nature, a public key certificate 2233 containing a public
key paired with the secret key 2232, and a signature log 
table 2234 for recording the history of generation of dig- 
ital signatures. The signature generating program 2231 
and the secret key 2232 are set when the IC card 22 is 
issued. They are set so that they cannot be read from 
outside the IC card 22. Data and programs, such as the 
signature generating program 2231, which are not 
rewritten once they have been written at the time of 
issuing the IC card 22, may be stored in a non-rewrita- 
ble ROM instead of the EEPROM 223. The public key 
certificate 2233 is set when the IC card 22 is issued. It 
is set so that it can be read from outside the IC card 22. 
The signature log table 2234, on the other hand, is set 
so that no data is recorded in the table at the time of 
issuing the IC card 22, and each time the IC card 22 
generates a digital signature, the table adds a signature 
log 2235 comprised of the generated digital signature, a 
hash value of a message to be signed, and the name of 
the purchaser (the address of a purchaser side appara- 
tus 3 or the like) of the message to be signed. It is 
assumed that the signature log table 2234 is set so that 
its data can be read from outside the IC card 22, but 
cannot be rewritten or deleted from outside IC card 22. 
The example in Fig. 3 shows the state of the IC card 22 
after the digital signature generating operation has been 
performed N times on the IC card 22, indicating N signa- 
ture logs 2235 recorded in the signature log table 2234. 
[0036] The IC card issuer may perform the issuing 
operation of the IC card 22, that is, an operation in 
which the signature generating program 2231, the 
secret key 2232, and the public key certificate 2233 are 
stored and set in the EEPROM 223. Or the IC card 
issuer may issue the IC card 22 in a state that the EEP- 
ROM 223 stores only the signature generating program 
2231, and a digital signer that owns the IC card 22 may
store and set the secret key 2232 and the public key 
certificate 2233 in the EEPROM 223. 
[0037] When the digital signer stores and sets the 
secret key 2232 in the EEPROM 223, it is desirable for 
the digital signer to execute a secret-key generating pro- 
gram that is stored in the IC card 22 by the IC card 
issuer beforehand so that the digital signer itself does 
not know the value of the secret key 2232. 
[0038] The CPU 221 creates a signature generation 
processing section 2211 as a process by loading and
executing the signature generating program 2231 in the 
RAM 222. 

[0039] Next, referring to Fig. 4, description will be 
made of representative example processes in specific 
embodiments in which a purchaser side apparatus 3 
acquires a digital-signature-attached message from a 
digital signer side apparatus 1.
[0040] In a digital signer side apparatus 1, when the
signature-attached message creation processing sec-
tion 111 receives a request for transmission of a mes-
sage from a purchaser side apparatus 3, the section 
reads the requested message from, for example, the 
external storage device 13 in which various messages
are stored, and applies a hash function to the message
to acquire its hash value. Then, the section asks the sig-
nature generation processing section 2211 to generate
a signature by sending to it the hash value of the mes-
sage and the address of the purchaser side apparatus 3
that has sent the transmission request (S6101). The
signature generation processing section 2211 applies
the secret key 2232 to the sent hash value of the mes-
sage to generate a digital signature for the message
(S6102). The signature generation processing section
2211 registers a signature log 2235 which is comprised
of the hash value of the message, the digital signature,
and the address of the purchaser side apparatus 3 that
requested the transmission, with the signature log table
2234 (S6103), and sends the digital signature and the
public key certificate 2233 to the signature-attached
message creation processing section 111. The signa-
ture log table 2234 is preferably indexed beforehand so
as to sequentially manage data in order to clarify the
chronological relationships between the signature logs.
The signature-attached message creation processing
section 111 creates a digital-signature-attached mes-
sage by attaching the above digital signature to the
message whose transmission has been requested, and
sends the digital-signature-attached message with the
public key certificate 2233 attached thereto, to the pur-
chaser side apparatus 3 that has requested the trans-
mission (S6104).

[0041] In a purchaser side apparatus 3, when the 
purchaser has requested acquisition of a message 
through an input device 36, the signature-attached mes- 
sage acquisition processing section 311 sends a 
request for transmission of the message to a digital 
signer side apparatus 1 that holds the message 
(S6001), and waits for a digital-signature-attached mes- 
sage to be transmitted from the digital signer side appa- 
ratus 1 (S6002). The signature-attached message
acquisition processing section 311 verifies the digital 
signature included in the received digital-signature- 
attached message. Specifically, the section obtains two 
hash values: one found by processing the digital signa- 
ture with the public key of the public key certificate 2233 
attached to the digital-signature-attached message, and 
the other computed from the message included in the 
digital-signature-attached message. Then, the two hash 
values are compared (S6003). If they coincide (the 
result is OK at step S6004), the signature-attached 
message acquisition processing section 311 authenti-
cates that the digital signature has been generated for
the message included in the digital-signature-attached
message, and accepts the digital-signature-attached
message and stores it in an external storage device 33
or the like after attaching the address of the digital
signer side apparatus 1 from which the message was
obtained, to the message (S6005). If they do not coin-
cide (the result is NG at step S6004), the signature-
attached message acquisition processing section 311
does not authenticate the digital-signature-attached
message and discards it (S6006).
[0042] Before actually accepting a digital-signature- 
attached message, the purchaser side apparatus may 
ask the digital signature verifier side apparatus 5 to ver- 
ify the signature as necessary to check the validity of 
the signature as described later, depending on, for 
example, the importance of the digital-signature- 
attached message. 
[0043] When the mediator side apparatus 7 acts as
a purchaser side apparatus 3, the mediator side appa-
ratus 7 performs the flow of steps for the purchaser side
apparatus 3 as shown in Fig. 4, and sends a signature-
attached message accepted at step S6005 to the pur-
chaser side apparatus 3. This can reduce the burden on
the purchaser side apparatus 3 since the purchaser
side apparatus 3 does not need to perform the verifying
process indicated at step S6003. It should be noted that
the mediator side apparatus 7 preferably acquires infor-
mation about the messages owned by each digital
signer side apparatus 1 beforehand, and makes availa- 
ble to each purchaser side apparatus 3 a list of the mes- 
sages owned by each digital signer side apparatus 1 by 
use of the World Wide Web or other means. 
[0044] Each digital signer side apparatus 1 can cre-
ate a digital-signature-attached message at the request 
of a digital signer, whether or not a purchaser side appa- 
ratus 3 asks it. In this case, the flow of steps for the pur- 
chaser side apparatus 3 as shown in Fig. 4 is not 
performed. However, using the purchaser side appara-
tus 3, a purchaser of a digital-signature-attached mes- 
sage can verify the signature by causing the digital 
signature verifier side apparatus 5 to verify the signa- 
ture as described later. 
[0045] The steps taken in the above case will be
described using as an example digital data whose mes- 
sage has the same value as that of securities (hereinaf- 
ter such digital data is called an electronic bill). A digital 
signer who is also an issuer of an electronic bill creates 
and issues a signature-attached electronic bill by per-
forming the flow of steps for the digital signer side appa-
ratuses 1 as shown in Fig. 4 by use of a digital signer
side apparatus 1. It should be noted that since the pur-
chaser of the created signature-attached electronic bill
cannot be specified at the time of issuing the electronic
bill, the signature log 2235 registered with the signature 
log table 2234 does not include the address of the pur- 
chaser. 

[0046] The mediator side apparatus 7 acquires sig- 
nature-attached electronic bills issued by the digital
signer side apparatuses 1, and makes them public 
using the World Wide Web or other means beforehand. 
Then, the mediator side apparatus 7 transmits a desired 
signature-attached electronic bill or sends it by postal 
mail at the request of a purchaser side apparatus 3. A
person who wants to purchase an electronic bill can ask 
the digital signature verifier side apparatus 5 to verify 
the desired electronic bill beforehand by use of a pur- 
chaser side apparatus 3, and take the actual purchase
procedure only when the validity of the electronic bill 
has been confirmed. 

[0047] Next, referring to Fig. 5, description will be
made of representative example processes in specific 
embodiments in which a purchaser side apparatus 3 
asks the digital signature verifier side apparatus 5 to 
verify a digital-signature-attached message acquired 
from a digital signer side apparatus 1.
[0048] In a purchaser side apparatus 3, when a pur- 
chaser has requested verification of a digital-signature- 
attached message owned by the purchaser side appa- 
ratus 3 itself through the input device 36, the verification 
request processing section 312 asks the digital signa-
ture verifier side apparatus 5 to verify the digital-signa- 
ture-attached message by sending the digital-signature- 
attached message to the digital signature verifier side 
apparatus 5 after attaching the address of the digital 
signer side apparatus 1 from which the message was 
acquired, to the message (S7001). Then, the verifica- 
tion request processing section 312 waits for the verifi- 
cation results to be transmitted from the digital signature 
verifier side apparatus 5 (S7002), and displays the veri- 
fication results using, for example, a display device 37 
(S7003). 

[0049] In the digital signature verifier side appara- 
tus 5, when the signature verification processing section 
511 has received a request for verification of a digital- 
signature-attached message from a purchaser side 
apparatus 3, the section performs the first-stage verifi- 
cation of the digital-signature-attached message sent 
with the request, as at steps S6003 and S6004 (S7101,
S7102). 

[0050] If the result is OK at step S7102, the signature
verification processing section 511 authenticates
the digital-signature-attached message and proceeds to 
step S7103. If the result is NG at step S7102, the sec- 
tion does not authenticate the message and sends the 
verification results to the purchaser side apparatus 3 
that transmitted the verification request, and to the dig- 
ital signer side apparatus 1 specified by the address 
attached to the digital-signature-attached message 
(S7108). 

[0051] At step S7103, the signature verification 
processing section 511 asks the digital signer side 
apparatus 1 specified by the address attached to the 
digital-signature-attached message, to transmit all sig- 
nature logs 2235 (called a signature log list) recorded in 
the signature log table 2234 (S7103), and waits for the 
signature log list to be transmitted from the digital signer 
side apparatus 1 (S7104), and then performs the sec- 
ond-stage verification of the digital-signature-attached 
message. Specifically, the signature verification 
processing section 511 checks whether the acquired
signature log list includes a signature log that includes 
the digital signature included in the digital-signature- 
attached message and a message hash value computed
at step S7101 (S7105).



[0052] If the acquired signature log list includes the signature log
(if the result is OK at step S7106), the signature verification
processing section 511 authenticates that the
digital-signature-attached message has been validly generated by the
digital signer side apparatus 1 that provided the signature log list,
and sends the results to the purchaser side apparatus 3 that
transmitted the verification request, and to the digital signer side
apparatus 1 specified by the address attached to the
digital-signature-attached message (S7107).

[0053] If the acquired signature log list does not 
include the signature log (if the result is NG at step 
S7106), this means that the digital-signature-attached 
message was not generated by the digital signer side apparatus 1 that
provided the signature log list. Accordingly, the signature
verification processing section 511 determines that a third party
obtained the secret key 2232 one way or another and illegally
generated the message posing as the digital signer, and sends the
results to the purchaser side apparatus 3 that transmitted the
verification request and to the digital signer side
apparatus 1 specified by the address attached to the 
digital-signature-attached message (S7109). 
[0054] In each digital signer side apparatus 1, the verification
request processing section 112 waits for a request for transmission
of a signature log list or verification results to be sent (S7201).
When the verification request processing section 112 has received a
request for transmission of a signature log list, the section reads
the signature logs 2235 registered with the signature log table 2234
in the EEPROM 223, and sends them to the digital signature verifier
side apparatus 5 (S7202). When the verification request processing
section 112 has received verification results (S7203), the section
displays the results using, for example, the display device 17
(S7204). Sending the verification results also to a digital signer
side apparatus 1 as described above makes it possible to take such a
measure as changing the secret key 2232 for generation of signatures
when, for example, the verification results indicate that a third
party somehow obtained the secret key 2232 and illegally generated a
digital signature posing as a digital signer.

[0055] It should be noted that in this invention, as a method of
sending a history log list from a digital signer side apparatus 1 to
the digital signature verifier side apparatus 5, the IC card 22
itself may be sent by, for example, postal mail, in addition to the
above method in which the history log list is transmitted through the
network.

[0056] Next, referring to Fig. 6, description will be made of
representative example processes in specific embodiments in which the
digital signer side apparatus 1 asks the digital signature verifier
side apparatus 5 to verify a digital-signature-attached message
generated by the digital signer side apparatus 1 itself.
[0057] In a digital signer side apparatus 1, when a 
digital signer has entered the address of a purchaser 
side apparatus 3 that will purchase a
digital-signature-attached message, through the input device 16, and
has requested verification of the digital-signature- 
attached message, the verification request processing 
section 112 asks the digital verifier side apparatus 5 to 
verify the message by sending the entered address of 
the purchaser side apparatus 3 (S8001). Then, the ver- 
ification request processing section 112 proceeds to 
step S8002 and performs processes at the flow of steps 
S7201 through S7204 shown in Fig. 5. 
[0058] In the digital signature verifier apparatus 5, when the
signature verification processing section 511 has received a request
for verification of a digital-signature-attached message from a
digital signer side apparatus 1, the section sends a request for
transmission of
the digital-signature-attached message to be verified 
and the address of the digital signer side apparatus 1 
that has sent the verification request, to the purchaser 
side apparatus 3 specified by the address sent with the 
verification request (S8101), and waits for the message 
to be transmitted (S8102). Then, the signature verifica- 
tion processing section 511 proceeds to step S8103 
and performs processes at the flow of steps S7101 
through S7109 shown in Fig. 5.

[0059] In each purchaser side apparatus 3, the ver- 
ification request processing section 312 waits for a 
request for transmission of a digital-signature-attached 
message to be verified, from the digital signature verifier 
side apparatus 5 (S8201). Then, from the external stor- 
age device 33 or the like, the section reads the digital- 
signature-attached message acquired from the digital 
signer side apparatus 1 specified by the address sent 
with the request, and sends the message to the digital 
signature verifier side apparatus 5 (S8202). After that, 
the verification request processing section 312 pro- 
ceeds to step S8203 and performs processes at the 
flow of steps S7002 through S7003 shown in Fig. 5. 
[0060] According to this embodiment, each digital
signer side apparatus 1 distributes a digital-signature- 
attached message that includes a digital signature and 
a message generated by the digital signer side appara- 
tus 1 itself after registering a signature log 2235 that 
includes the digital signature and a hash value of the 
message, with the signature log table 2234. 
[0061] The digital signature verifier side apparatus 
5 acquires a log list made up of registered signature 
logs 2235 from a digital signer side apparatus 1, and
checks whether a signature log that includes a hash 
value of the message and the digital signature included 
in the digital-signature-attached message to be verified, 
is registered. Accordingly, the digital signature verifier 
side apparatus 5 can determine whether the digital-sig- 
nature-attached message to be verified has been gen- 
erated by the digital signer side apparatus 1, and is 
valid, or a third party has illegally generated the mes- 
sage posing as a digital signer after somehow obtaining 
the secret key 2232. 

[0062] In an alternative embodiment, a signature log table may be set
in the external storage device 13 of the computer 21, in addition to
the EEPROM 223. With this arrangement, when the number of signature
logs registered with the signature log table in the EEPROM 223
exceeds a predetermined value (this value may be set considering the
capacity of the EEPROM 223) as a result of registering a newly
generated signature log with the signature log table in EEPROM 223,
the earliest log registered with the signature log table in the
EEPROM 223 may be transferred to the signature log table in the
external storage device 13 before registering the above new signature
log with the signature log table in the EEPROM 223.

[0063] In another embodiment, a plurality of signature logs
registered with the signature log table in the EEPROM 223 may be
registered with the signature log table in the external storage
device 13 together at once. This registration of signature logs with
the signature log table in the external storage device 13 may be
performed when appropriate, according to the instructions of a
signer, or the signature logs may be automatically registered each
time the number of the signature logs reaches a predetermined value.

[0064] In still another embodiment, a newly generated signature log
may be registered with both the signature log table in the EEPROM 223
and the signature log table in the external storage device 13 of the
computer 21, and when the number of the signature logs registered
with the signature log table in the EEPROM 223 exceeds a
predetermined value as a result of registering the above newly
generated signature log with the signature log table in the EEPROM
223, the earliest signature log registered with the signature log
table in the EEPROM 223 may be deleted before registering the above
newly generated signature log with the signature log table in the
EEPROM 223.

[0065] In such specific embodiments, it is possible to realize
digital signer side apparatus 1 even when the capacity of the EEPROM
223 is small.

[0066] In order to prevent a digital signer from altering a signature
log, it is preferred that the signature log table set in the external
storage device 13 is set so that the table can be written only from
the IC card 22, or a non-rewritable storage medium such as a CD-R is
used.

[0067] Further, instead of setting a signature log table in the
EEPROM 223, a signature log management apparatus 9 may be newly added
to the configuration shown in Fig. 1 to manage the signature log
table for each digital signer side apparatus 1. With this
arrangement, each digital signer side apparatus 1 may register a
signature log with the signature log table corresponding to each
digital signer side apparatus 1 itself each time a digital signature
is newly generated, or as is the case with registration with the
signature log table in the external storage device 13, a plurality of
signature logs may be registered together at once with a signature
log table which is set in the signature log management apparatus 9
and corresponds to each digital signer side apparatus 1.

[0068] In this case, at step S7103 of a flow shown in Fig. 5, the
digital signature verifier side apparatus 5 sends to the signature
log management apparatus 9 a request for transmission of a signature
log list, attaching the address of the digital signer side apparatus
1 that created a digital-signature-attached message to be verified,
to the request. Furthermore, steps S7201 and S7202 of a flow shown in
Fig. 5 are performed by the signature log management apparatus 9.
Upon receiving a request for transmission of a signature log list,
the signature log management apparatus 9 sends to the digital
signature verifier side apparatus 5 the signature log list of the
digital signer side apparatus 1 specified by the address attached to
the request. This prevents a digital signer from altering a signature
log.
[0069] It should be noted that the signature log management apparatus
9 may be created on the same computer as that on which the digital
signature verifier side apparatus 5 resides, or the signature log
management apparatus 9 may be created on both the same computer and a
different computer so that signature logs may be initially managed by
the signature log management apparatus on the same computer and when
the number of signature logs has reached a predetermined value, they
may be registered together at once with the signature log management
apparatus on the different computer.
[0070] When no privacy or other problems arise, signature log data in
the signature log management apparatus 9 may be made public to other
apparatuses connected through the network for a certain period of
time or indefinitely after the signature is generated. It should be
noted, however, that the system is assumed to be set so that the logs
cannot be rewritten or deleted. With this, for example, a purchaser
can make sure that the records of transactions related to the
purchaser are reflected in logs of a signer. Furthermore, by managing
signature logs so that they can be viewed from many other
apparatuses, it becomes difficult for a signer to alter his or her
own signature log data, resulting in improved reliability of the
entire system. An apparatus for thus making signature log data public
may be provided separately from the signature log management
apparatus.

[0071] Specific information may be set to each IC card 22 so that by
using this information, it can be guaranteed that a registered
signature log is produced surely for a signature generated by an IC
card 22. For example, an IC card issuer secretly sets specific
information to each IC card at the time of issuing the card,
concealing it even from the signer who owns it. Each time a digital
signature is generated by the IC card, the specific information set
to the IC card is used to generate a MAC (Message Authentication
Code) for the digital signature by utilizing the information as a
MAC-generation secret key, which is different from the secret key
2232 for generating a digital signature, and the MAC is registered
with a signature log table, together with the signature log. A
signature log list including this MAC is transmitted in response to a
request for transmission of a signature log list from a digital
signature verifier.
[0072] Adoption of the above method makes it diffi- 
cult to alter a signature log. This is because a digital sig- 
nature verifier can acquire specific information set to the 
IC card that generated the signature, from the IC card 
issuer beforehand or as necessary, and by checking the 
validity of the MAC using the acquired information, the 
verifier can detect alteration of the signature log. Fur- 
thermore, since information that even the signer does 
not know is used as a secret key, forging of a signature 
log by the signer itself also can be prevented. 
[0073] In addition to storing a MAC in a signature 
log table, the MAC may be output to a purchaser 
together with a digital-signature-attached message so 
that it can be used as means for reinforcing the pur- 
chaser's capability to check the validity of a signature 
attached to a purchased message. 
[0074] When there is provided the signature log 
management apparatus 9 in which a signature log table 
is set, it may be arranged such that the signature log 
management apparatus 9 also can acquire specific 
information set to an IC card that has generated a sig- 
nature, from the IC card issuer beforehand or as neces- 
sary, so as to check the validity of the MAC when 
registering the signature log with the signature log table 
set in the signature log management apparatus 9, and 
register only a valid signature log. In this case, when an 
attempt is made to register a signature log whose MAC 
is not valid, an alarm may be sent to the signer or the 
entire system so that from now on, the secret key 2232 
for signing and the signing system will not be used, 
regarding that it has become possible to forge a signa- 
ture due to disclosure of the secret key or some other 
reason. 

[0075] Instead of using specific information set to 
each IC card as a secret key for generating a MAC, the 
specific information can be used as a secret key for gen- 
erating another digital signature so as to guarantee that 
a signature has surely been generated by use of a spe- 
cific IC card 22, which also makes it difficult to forge a 
signature log as is the case with a MAC. The above 
method eliminates the need of acquiring specific infor- 
mation set to each IC card in order to verify that a signa- 
ture has been generated by use of an IC card 22, and, 
instead, requires only public-key information which cor- 
responds to the specific information and is available to 
anyone. Therefore, unlike the use of a MAC, it is easy to 
employ this method as a means for helping a purchaser 
confirm the validity of a purchased message. 
[0076] In the above method, from the viewpoint of 
avoiding the risk of forgery of digital signatures, which is 
increased by improved decryption algorithms, it is desir- 
able to use a digital signing system different from one in 
which a digital signature is sent to a purchaser by 
attaching it to a message, that is, as a signature- 
attached message. Since from the viewpoint of reducing
the scale of its implementation in the IC card 22, use
of the same digital signing system is more advanta- 
geous, the signing system may be determined depend- 
ing on conditions. 

[0077] Since specific information set to each IC 
card is used as a secret key, dynamic update of the 
information, which means that the secret-key informa- 
tion is not fixed, offers the advantage of making it diffi- 
cult to analyze the secret key. In the above method, to 
verify the validity of a signature log using specific infor- 
mation set to each IC card, it is necessary to know how 
to update the specific information. For example, after 
using specific information set to an IC card, a hash 
value of the specific information may be computed so 
that it can be used as new specific information to be set 
to the IC card. 
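
The MAC arrangement of paragraphs [0071] to [0077], sketched as an added example (not code from the patent): the card MACs each signature with issuer-set specific information and replaces that information with its hash after every use, so a verifier holding the issuer's initial value has to replay the updates in log order. HMAC-SHA-256, SHA-256 as the update hash, and all names and sample values are assumptions; the page names no algorithm.

```python
import hashlib
import hmac


def mac(key: bytes, signature: bytes) -> bytes:
    """MAC over the digital signature, keyed with the card's specific information."""
    return hmac.new(key, signature, hashlib.sha256).digest()


def update(key: bytes) -> bytes:
    """Update rule of [0077]: the next specific information is a hash of the current one."""
    return hashlib.sha256(key).digest()


class ICCard:
    """Holds the issuer-set specific information; the signer never sees it."""

    def __init__(self, specific_info: bytes):
        self._key = specific_info

    def log_entry(self, mhash: bytes, signature: bytes) -> dict:
        entry = {"mhash": mhash, "sig": signature, "mac": mac(self._key, signature)}
        self._key = update(self._key)          # updated after each use
        return entry


def check_log(issuer_info: bytes, log_list: list) -> list:
    """Verifier side: replay the key updates and return indices whose MAC fails."""
    key, bad = issuer_info, []
    for i, entry in enumerate(log_list):
        if not hmac.compare_digest(mac(key, entry["sig"]), entry["mac"]):
            bad.append(i)
        key = update(key)
    return bad


class LogManager:
    """Log management apparatus that registers only entries with a valid MAC ([0074])."""

    def __init__(self, issuer_info: bytes):
        self._key = issuer_info
        self.table = []
        self.alarms = 0

    def register(self, entry: dict) -> bool:
        if not hmac.compare_digest(mac(self._key, entry["sig"]), entry["mac"]):
            self.alarms += 1                   # alarm: stop using the signing key
            return False
        self.table.append(entry)
        self._key = update(self._key)
        return True


def demo_mac() -> dict:
    info = b"constructed specific information"   # sample value set by the issuer
    card = ICCard(info)
    # Constructed, opaque byte strings stand in for real hashes and signatures.
    log = [card.log_entry(b"hash-%d" % i, b"signature-%d" % i) for i in range(3)]
    out = {"honest": check_log(info, log)}

    # The signer edits an entry but cannot recompute its MAC.
    swapped = [dict(e) for e in log]
    swapped[1]["sig"] = b"signature-forged"
    out["swapped"] = check_log(info, swapped)

    # Dropping entry 0 shifts every later entry onto the wrong key.
    out["deleted"] = check_log(info, log[1:])

    manager = LogManager(info)
    out["registered"] = [manager.register(e) for e in log]
    forged = {"mhash": b"hash-x", "sig": b"signature-x", "mac": b"\x00" * 32}
    out["forged_registered"] = manager.register(forged)
    out["alarms"] = manager.alarms
    return out
```

Because the key advances with every entry, deleting or reordering a log entry invalidates the MACs of every entry after it, not only the one touched.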

[0078] Next, description will be made of a second 
embodiment of the present invention in which alteration 
of a signature log can be more effectively prevented. 
Each apparatus of a system in accordance with this 
embodiment basically has the same configuration as 
that for the first embodiment except for the components 
of signature logs 2235 stored in a signature log table 
2234. 

[0079] Although the same processes as those for 
the first embodiment, shown in Fig. 4, are performed 
when a purchaser side apparatus 3 acquires a digital- 
signature-attached message from a digital signer side 
apparatus 1, the contents of specific signature generation
processing by the digital signer side apparatus 1
are different, and so are the contents of specific signa- 
ture verification processing by the purchaser side appa- 
ratus 3. 

[0080] In the digital signer side apparatus 1, a signature generation
processing section 2211 generates a digital signature Sign_N by
applying a secret key 2232 to a set of a hash value h(M_{N-1}) of a
message M_{N-1} and a digital signature Sign_{N-1} (this set
"(h(M_{N-1}), Sign_{N-1})" is referred to as previous data P_{N-1})
included in a signature log 2235 generated in the last (N-1th)
signature generation processing, and to a hash value h(M_N) of a
message M_N sent from a signature-attached message creation
processing section 111 (S6102). When the initial (first) signature is
generated, an initial value IV, which is set as a value common to the
entire system or a value specific to each apparatus, may be used as
previous data P_0, or the initial previous data P_0 may be omitted.
The signature generation processing section 2211 registers a
signature log 2235 which is comprised of the previous data P_{N-1},
the hash value h(M_N) of the message, the digital signature Sign_N,
and the address of a purchaser side apparatus 3 that has made a
transmission request, with the signature log table 2234 (S6103). The
signature generation processing section 2211, then, sends the
previous data P_{N-1}, the digital signature Sign_N, and a public key
certificate 2233 stored in an EEPROM 223 to the signature-attached
message creation processing section 111. The signature-attached
message creation processing section 111 creates a
digital-signature-attached message by attaching the previous data
P_{N-1} and the digital signature Sign_N to the message M_N to be
transmitted, and transmits to the purchaser side apparatus 3 the
digital-signature-attached message with the public key certificate
2233 attached thereto (S6104).

[0081] In the above embodiment, when the digital signature Sign_N is
generated, a hash value h(P_{N-1}) of the previous data P_{N-1} may
be used instead of the previous data itself. In this case, as data to
be stored in the signature log table, the hash value h(P_{N-1}) of
the previous data P_{N-1} may also be used instead of the previous
data itself. Furthermore, as previous data to be used for the Nth
signature, the hash value h(M_{N-1}) of the message M_{N-1}, the
digital signature Sign_{N-1}, and, in addition, a hash value
h(P_{N-2}) of previous data P_{N-2}, which is used for the N-1th
signature, are used as a three-component set. In addition, a hash
function used to compute a hash value of previous data may be
different from that used to compute a hash value of a message. It
should be noted that when the previous data P_i can be computed from
other data, as in the case where (h(M_{N-1}), Sign_{N-1}) is used as
the previous data P_{N-1}, instead of storing and then using P_i
(0<i<N-1), previous data may not be stored but calculated as
necessary to save the data storage area.

[0082] As a result of the above processing, each signature log 2235
stored in the signature log table 2234 comprises previous data, a
hash value of a message, and a digital signature as shown in Fig. 7.

[0083] In the purchaser side apparatus 3, as a comparison target at
comparison step S6003, instead of using only a hash value computed
from the message included in a digital-signature-attached message, a
set of the hash value and the previous data included in the
digital-signature-attached message is used.

[0084] Next, referring to Fig. 8, description will be made of
representative example processes in specific embodiments in which a
purchaser side apparatus 3 asks a digital signature verifier side
apparatus 5 to verify a digital-signature-attached message acquired
from a digital signer side apparatus 1. It should be noted that the
following description explains an example of verification processes
performed in the condition that the determination of "forged" is
disadvantageous to the signer.

[0085] Processes at steps S11001, S11002, and S11003 in Fig. 8 are
the same as those at steps S7001, S7002, and S7003 in Fig. 5,
respectively.

[0086] When a verification request processing section 312 has
received a request for transmission of a digital-signature-attached
message to be used as a reference material from the digital signature
verifier side apparatus 5 (S11101), the section reads the
digital-signature-attached message acquired from the digital signer
side apparatus 1 specified by the address attached to the request,
from, for example, an external storage device 33 or the like, and
transmits the message to the digital signature verifier side
apparatus 5 (S11102).

[0087] In the digital signature verifier side apparatus 5, a
signature verification processing section 511 performs the
first-stage verification, using the digital signature included in the
digital-signature-attached message and the public key of the public
key certificate 2233 attached to the digital-signature-attached
message (S11201). When the signature is authenticated (if the result
is OK at step S11202), the processes at steps S11203 and S11204,
which are the same as those at steps S7103 and S7104, are performed.
When the signature is not authenticated (if the result is NG at step
S11202), on the other hand, the process at step S11214, which is the
same as that at step S7108, is performed.

[0088] The signature verification processing section 511 performs the
second-stage verification of the digital-signature-attached message.
Specifically, the section checks whether a signature log that
includes the digital signature and the previous data included in the
digital-signature-attached message and a hash value of a message
acquired at step S11201 is registered with an acquired signature log
list (S11205).
[0089] If the signature log is registered (if the result is OK at
step S11206), the signature verification processing section 511 makes
the same determination as that at step S7106, and performs the
third-stage verification of the digital-signature-attached message.
Specifically, the signature verification processing section 511 reads
the message hash value and the digital signature included in the
signature log registered immediately before the signature log
corresponding to the verification target digital-signature-attached
message in the signature log list acquired at step S11204. For
example, in Fig. 7, when the Nth signature log includes the digital
signature and the previous data included in the verification target
digital-signature-attached message and the message hash value
acquired at step S11201, the signature verification processing
section 511 reads the message hash value and the digital signature
included in the N-1th signature log. The signature verification
processing section 511 compares both the message hash value and the
digital signature included in the immediately previous registered
signature log, against the previous data included in the verification
target digital-signature-attached message. As described above, the
previous data is comprised of the message hash value and the digital
signature included in the immediately previous registered signature
log (S11207).
[0090] When they do not coincide (if the result is NG at step
S11208), the signature verification processing section 511
authenticates that the signature log corresponding to the
verification target digital-signature-attached message has been
altered, and transmits the results to the purchaser side apparatus 3
that has transmitted the verification request and to the digital
signer side apparatus 1 specified by the address attached to the
digital-signature-attached message (S11216). When they coincide (if
the result is OK at step S11206), the section proceeds to step
S11209.
[0091] At step S11209, the signature verification processing section
511 sends a request for transmission of a digital-signature-attached
message to be used as a reference material, to the purchaser side
apparatus 3 specified by the purchaser address included in the
signature log registered immediately before the signature log
corresponding to the verification target digital-signature-attached
message, attaching the address of the digital signer side apparatus 1
that has transmitted the verification request, to the request, and
waits for the message to be transmitted (S11210).

[0092] The signature verification processing section 511 performs the
fourth-stage verification of the digital-signature-attached message
acquired as a reference material.

[0093] Specifically, the section computes a hash value of the message
included in the digital-signature-attached message acquired at step
S11210. Then, the signature verification processing section 511
checks whether the digital signature and the previous data included
in the digital-signature-attached message acquired at step S11210 and
the hash value of the message coincide with the contents of the
signature log registered immediately before the signature log
corresponding to the verification target digital-signature-attached
message, in the signature log list acquired at step S11204 (S11211).

[0094] When they do not coincide (if the result is NG at step
S11212), the signature verification processing section 511 determines
that both the signature log corresponding to the verification target
digital-signature-attached message and the immediately previous
registered signature log corresponding to the
digital-signature-attached message used as a reference material may
have been altered, producing the third-stage verification result OK
at step S11208, and transmits the results to the purchaser side
apparatus 3 that has transmitted the verification request and to the
digital signer side apparatus 1 specified by the address attached to
the digital-signature-attached messages (S11217). When they coincide
(if the result is OK at step S11212), on the other hand, the
signature verification processing section 511 authenticates that the
verification target digital-signature-attached message has been
generated by the digital signer side apparatus 1 that provided the
signature log list and the message is valid, and transmits the
results to the purchaser side apparatus 3 that has transmitted the
verification request and to the digital signer side apparatus 1
specified by the address attached to the digital-signature-attached
messages (S11213). In the digital signer side apparatus 1, the
processes performed at steps S11301 through S11305 are the same as
those at steps S7201 through S7204.
[0095] Next, referring to Fig. 9, description will be 
made of representative example processes in specific
embodiments in which a digital signer side apparatus 1 
asks the digital signature verifier side apparatus 5 to 
verify a digital-signature-attached message that the dig- 
ital signer side apparatus 1 has generated. 
[0096] In the digital signer side apparatus 1, the 
process performed at step S12001 is the same as that 
at step S8001, and at step S12002, processes at the 
flow of steps S11301 through S11305 shown in Fig. 8 
are performed. 

[0097] In the digital signature verifier side appara- 
tus 5, the processes performed at steps S12101 and 
S12102 are the same as those at steps S8101 and 
S8102, and at step S12103, the processes at the flow of
steps S11201 through S11217 shown in Fig. 8 are performed.

[0098] In a purchaser side apparatus 3, the proc- 
esses performed at steps S12201 and S12203 are the 
same as those at steps S8201 and S8202, and at 
S12204, processes at steps S11002 through S11003 
shown in Fig. 8 are performed. 

[0099] When the purchaser side apparatus 3 has 
received a request for transmission of a
digital-signature-attached message to be used as a reference
material from the digital signature verifier apparatus 5 (the
process at step S12202 performed if the result is NO at 
step S12201), the verification request processing sec- 
tion 312 reads the digital-signature-attached message 
to be used as a reference material, acquired from the 
digital signer side apparatus 1 specified by the address 
attached to the request, and transmits the message to 
the digital signature verifier side apparatus 5 (S12205). 
[0100] In this embodiment, the validity of a digital- 
signature-attached message can be more surely 
checked. 

[0101] The third-stage signature verification 
according to the above embodiment checks the match- 
ing of the signature log corresponding to a verification 
target digital-signature-attached message, which is 
expressed as Nth signature log, with the immediately 
previous N-1th signature log (whether mutual consist- 
ency is maintained). Similarly, the matching of the N-1th 
signature log with the immediately previous N-2th sig- 
nature log may be further checked. By repeating this, 
mutual consistency of more signature logs included in a 
signature log list may be checked so as to more surely 
ensure the reliability of the signature log list. 
[0102] Further, in the third-stage signature verifica- 
tion according to the above embodiment, a series of an 
arbitrary number of signature logs including the signa- 
ture log corresponding to a verification target digital-sig- 
nature-attached message may be selected from the 
signature logs registered with the signature log table 
2234. And for the series of signature logs, the third- 
stage signature verification may check whether the pre- 
vious data included in a signature log coincides with the 
digital signature and the message hash value included 
in the immediately previous signature log in order to
detect alteration of a signature log.
[0103] Alteration of a signature log can also be 
detected by checking whether the message hash value 
of a digital-signature-attached message is reflected in 
digital signatures included in one or more signature logs
registered after the signature log corresponding to the 
digital-signature-attached message. 
[0104] In this embodiment, to forge a past electronic
signature, it is necessary to forge one or more
electronic signatures created before or after the creation
of the electronic signature to be forged, while maintaining
their consistency. This increases the difficulty of
forging a past electronic signature, making it difficult to
attack authorized business operators by forging their
signatures. An authorized business operator also can
put himself or herself in a position in which it is difficult
for the operator to forge an alibi for any illegal conduct,
which makes more persuasive to a mediator the assertion
that the operator is not involved in any illegal conduct
when the operator has suffered a malicious attack.
[0105] In the above embodiment, when the second-stage
signature verification proves that signature data
included in a verification target digital-signature-attached
message is not included in a signature log list
provided by the signer, it is determined that the digital
signature to be verified is forged, while when the
second-stage signature verification proves that the signature
data is included in the signature log list, the third-stage
and the fourth-stage verifications are performed
to verify the validity of the signature log list. This is
because when the determination of "forged" is
disadvantageous to a signer who provides a signature log list,
it is unthinkable for the signer to provide a forged
signature log list.

[0106] In the case where the determination of "a
signature is valid" is disadvantageous to a signer who
provides a signature log list, on the other hand, when
the second-stage signature verification proves that
signature data to be verified is included in a submitted
signature log list, it may be determined that the digital
signature is valid, while when the signature data is not
included in the signature log list, the third-stage and the
fourth-stage verifications may be performed to verify the
validity of the signature log list.
[0107] Or, after receiving a signature log list at step
S11204, the signature verification processing section
may first check the validity of the signature log list, and
after the validity is confirmed, if signature data to be
verified is included in the valid signature log list, it may be
determined that the signature is valid.

[0108] When a signer cannot submit a signature log
list in full to a verifier due to data corruption or some
other reason, not all of the information provided by the
submitted signature log list (with some part of it missing)
is generally reliable. However, by using the following
method, it is possible to extract reliable signature logs
from the sent information.

[0109] In the digital signature verifier side apparatus 5,
of the signature logs included in the submitted
signature log list, those that prove to be in areas which
cannot be controlled by the signer itself, can be
regarded as reliable signature logs.
[0110] For example, signatures to be stored in the
EEPROM 223 area as signature logs 2235 are
automatically written when the signer generates the signatures
by use of the IC card 22. Since this area is set so that it
cannot be rewritten or deleted, the signer itself cannot
control (alter) the area. Therefore, the logs corresponding
to signatures stored in the EEPROM 223 area can
be regarded as reliable.

[0111] Similarly, the signature logs corresponding
to signatures stored in the signature log management
apparatus 9 or the like that is a reliable third party can
be regarded as reliable since the signer cannot control
the signatures.

[0112] Furthermore, the signature log corresponding
to a signature made public by newspapers,
broadcasting, or the like, so that it has become known to
many and unspecified people at some time point before
a signature verifier verifies it, for example, immediately
after it is generated by a signer, can be also regarded as
reliable since after the above time point, it is very difficult
for the signer to do anything so that it looks as if the
signature had not existed, that is, the signer itself cannot
control the past existence of the signature.
[0113] When another purchaser who is disinterested
owns a signature (for example, as a signature
log), the signature log is also regarded as reliable.
[0114] Further, if it is confirmed that a reliable
signature log and the signature log registered immediately
before the reliable signature log match, that is, they are
consistent with each other, the immediately previous
signature log also can be regarded as a reliable
signature log. This is because, since in this invention a
signature log includes a hash value of the immediately
previous message or signature, it is very difficult to forge
the immediately previous signature log so that it
coincides with a hash value included in a reliable signature
log even when it has become easy to forge the digital
signature itself due to disclosure of a secret key or some
other reason. By repeating this procedure, that is, going
back through a series of signature logs, starting from a
reliable signature log, while confirming that each
signature log is consistent with the immediately previous one,
the range of reliable signature logs included in a
submitted log list can be determined since the range of
signature logs that are consistent with one another starting
from a reliable signature log can be regarded as
reliable.
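
The backward walk of [0114], together with the consistency check of [0101] and [0102], as an added example that is not part of the patent text. The encoding of the previous data (SHA-256 over the previous log's signature and message hash), the HMAC stand-in for the signer's secret-key operation, and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

GENESIS = b"\x00" * 32  # assumed previous data for the first log in a table


@dataclass(frozen=True)
class SignatureLog:
    prev_data: bytes  # P_{N-1}: binds this log to the one registered before it
    msg_hash: bytes   # h(M_N)
    signature: bytes  # signature over prev_data and msg_hash


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(key: bytes, prev_data: bytes, msg_hash: bytes) -> bytes:
    # Stand-in (assumption) for applying the signer's secret key. HMAC keeps
    # the example dependency-free; a real signer uses an asymmetric scheme.
    return hmac.new(key, prev_data + msg_hash, hashlib.sha256).digest()


def link_value(log: SignatureLog) -> bytes:
    # Assumed encoding of "previous data": one hash covering both the
    # signature and the message hash of the log it refers to.
    return h(log.signature + log.msg_hash)


def build_table(key: bytes, messages: List[bytes]) -> List[SignatureLog]:
    """Register one signature log per message, in chronological order."""
    table: List[SignatureLog] = []
    for message in messages:
        prev = link_value(table[-1]) if table else GENESIS
        mh = h(message)
        table.append(SignatureLog(prev, mh, sign(key, prev, mh)))
    return table


def consistent(prev_log: SignatureLog, log: SignatureLog) -> bool:
    """Third-stage check: does `log` carry the data of the log before it?"""
    return hmac.compare_digest(log.prev_data, link_value(prev_log))


def first_break(table: List[SignatureLog]) -> Optional[int]:
    """Index of the first log that does not match its predecessor, or None."""
    for i in range(1, len(table)):
        if not consistent(table[i - 1], table[i]):
            return i
    return None


def reliable_range(table: List[SignatureLog], anchor: int) -> int:
    """Walk back from a log known to be reliable (for example one held by a
    third party) and return the lowest index still vouched for by the chain."""
    lowest = anchor
    while lowest > 0 and consistent(table[lowest - 1], table[lowest]):
        lowest -= 1
    return lowest


def rewrite_entry(table: List[SignatureLog], index: int, key: bytes,
                  new_message: bytes) -> List[SignatureLog]:
    """Test fixture: a past log re-signed for a different message by someone
    who holds the disclosed key. The signature itself is correct."""
    old = table[index]
    mh = h(new_message)
    changed = list(table)
    changed[index] = SignatureLog(old.prev_data, mh, sign(key, old.prev_data, mh))
    return changed


if __name__ == "__main__":
    key = b"constructed-demo-key"                        # constructed value
    messages = [f"order {i}".encode() for i in range(6)]  # constructed input
    table = build_table(key, messages)
    print("intact table, first break:", first_break(table))
    print("intact table, reliable from index:", reliable_range(table, 5))

    changed = rewrite_entry(table, 2, key, b"order 2 (rewritten)")
    print("rewritten log 2, first break:", first_break(changed))
    print("rewritten log 2, reliable from index:", reliable_range(changed, 5))

    partial = table[:1] + table[2:]  # log 1 lost, as in [0108]
    print("partial list, reliable from index:", reliable_range(partial, 4))
```

With the last log as the reliable anchor, the rewritten table is vouched for only from index 3 onward: the re-signed log 2 verifies on its own, but log 3 no longer matches it.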

[0115] According to the above embodiment, a digital
signer side apparatus 1 generates a digital signature by
applying a secret key 2232 to previous data P_{N-1} and
to a hash value h(M_N) of a message M_N. Similarly, a
digital signer side apparatus 1 may generate a digital
signature by applying a secret key 2232 to other data in
addition to previous data and a hash value of a message.
For example, a digital signer side apparatus may
generate a digital signature by applying a secret key
2232 to a public key certificate 2233, which is sent to a
purchaser side apparatus 3, or its hash value, and to
previous data, and to a hash value of a message. This
makes it easy to prove later that the public key certificate
existed when the digital signature was generated.
That is, because it is very difficult to forge the signature
log, in which the public key certificate is reflected, so
that its hash value coincides with the hash value included
in the immediately following signature log, it is easy to
prove that the public key certificate existed even
when it has become easy to forge a certificate
issued by a certificate authority. Further, any data
whose existence at the time the signature is generated
is to be proved may be used in the same way as a certificate.
So that the signature can be verified by a purchaser side
apparatus 3, the data, or modified data which makes it
possible to verify the signature (e.g. a hash value of the
data), is sent to the purchaser side apparatus 3 together
with a message and a signature.
[0116] As in the embodiments described herein
above, a signature log table 2234 may be set in an
external storage device 13 of a computer 21, in addition
to the EEPROM 223.

[0117] Instead of setting the signature log table
2234 in the EEPROM 223, the signature log management
apparatus 9 may be provided to manage the
signature log table for each digital signer side apparatus 1,
as described earlier.

[0118] As in the embodiments described herein 
above, this signature log management apparatus 9 may 
be created on the same computer as that on which the 
digital signature verifier side apparatus 5 resides. 
[0119] As in the embodiments described herein 
above, specific information (a serial number or the like) 
may be set to each IC card so that by using this informa- 
tion, specific data may be generated to guarantee that a 
signature has surely been generated by use of the IC 
card. 

[0120] When there is provided the signature log
management apparatus 9, processes at the flow of
steps S11207 and S11208 shown in Fig. 8 (the third-stage
signature verification) may be performed by the
signature log management apparatus 9 before registering
a signature log with a signature log list so that only
when the previous data included in the signature log
coincides with the message hash value and the signature
included in the latest signature log data registered
with the signature log list, is the signature log permitted
to be registered with the signature log list. In this case,
in the digital signature verifier side apparatus 5, the flow
of steps S11207 and S11209 shown in Fig. 8 (the third-stage
signature verification) can be omitted.
[0121] As in the embodiments described herein
above, a plurality of signature logs may be registered
together at once with a signature log list managed by
the signature log management apparatus 9. In this
case, in addition, a message indicating registration with
the signature log list may be created, and a signature
may be generated for this message so that the registration
with the signature log list is reflected in the signature
log list of the digital signer side apparatus 1.
[0122] Next, description will be made of a third 
embodiment, in which, in addition to the first embodi- 
ment, time information is further included in each digital 
signature so as to verify the validity of the digital signa- 
ture also using this time information. 
[0123] This system is configured so that a timestamp
issuing apparatus 8, which issues a timestamp for
a digital signature sent from each digital signer side
apparatus 1, is added to a system according to the first
embodiment shown in Fig. 1.

[0124] The schematic configuration of the times- 
tamp issuing apparatus 8 is the same as that shown in 
Fig. 2. 

[0125] An external storage device 13 stores a
timestamp issuing program 831, which generates a
timestamp by encrypting a digital signature and time
data sent from a digital signer side apparatus 1, a secret
key 832 used to generate a timestamp, and a public key
certificate 833 containing a public key paired with the
secret key 832. These are loaded into a RAM 12, and
are executed by a CPU 11 as a process called a timestamp
issuance processing section 811.
[0126] Referring to Fig. 10, description will be made
of representative example processes in specific
embodiments in which a purchaser side apparatus 3 acquires
a digital-signature-attached message from a digital
signer side apparatus 1.

[0127] The digital signer side apparatus 1 performs
processes at steps S6101 through S6103 shown in Fig.
4 (S15101). A signature-attached message creation
processing section 111 asks the timestamp issuing
apparatus 8 to issue a timestamp by transmitting a
digital signature sent from a signature generation processing
section 2211 to the timestamp issuing apparatus 8
(S15102). When the signature-attached message creation
processing section 111 has received a timestamp
from the timestamp issuing apparatus 8 (S15103), the
section creates a digital-signature-attached message
by attaching the timestamp to a message to be transmitted,
and transmits the time stamped message to the
purchaser side apparatus 3 that has requested the
transmission, attaching both the public key certificate
2233 sent with the digital signature from the signature
generation processing section 2211 and the public key
certificate 833 sent with the timestamp from the timestamp
issuing apparatus 8, to the time stamped message
(S15104).

[0128] In the timestamp issuing apparatus 8, upon
receiving a digital signature from a digital signer side
apparatus 1, the timestamp issuance processing section
811 generates a timestamp (S15201). Specifically,
the section generates a timestamp by encrypting the
digital signature sent from the digital signer side apparatus 1,
and time data indicating the reception time of the
digital signature by use of the secret key 832 stored in
an external storage device 83. The timestamp issuance
processing section 811 attaches the public key certificate
833 stored in the external storage device 83 to the
generated timestamp, and transmits the certificate-attached
timestamp to the digital signer side apparatus
1 that has transmitted the digital signature (S15202).
[0129] The purchaser side apparatus 3 acquires a
digital-signature-attached message by performing the
processes at steps S6001 through S6002 shown in Fig.
4 (S15001). Next, a signature-attached message acquisition
processing section 311 acquires a digital signature
by decrypting the timestamp included in the
received digital-signature-attached message, using the
public key (the public key of the timestamp issuance
apparatus 8) of a public key certificate 821 attached to
the message (S15002). Then, the signature-attached
message acquisition processing section 311 performs
the processes at steps S6004 through S6006 to verify
the digital signature (S15003).

[0130] Referring to Fig. 11, description will be made
of representative example processes in specific
embodiments in which a purchaser side apparatus 3 asks a
digital signature verifier side apparatus 5 to verify a
digital-signature-attached message acquired from a digital
signer side apparatus 1.

[0131] Incidentally, in this embodiment, it is
assumed that when a digital signer, who is a user of a
digital signer side apparatus 1, has found that a secret
key 2232 which the digital signer secretly holds has
been disclosed and a third party may have illegally
obtained the secret key, the digital signer notifies a
digital signature verifier of the disclosure, specifying its
date and time. Then, the digital signature verifier stores
the date and time given by the digital signer and the
address of the digital signer side apparatus 1 used by
the digital signer, as a set, in an external storage device
53 of the digital signature verifier apparatus 5.
[0132] A verification request processing section
312 performs the processes at the flow of steps S7001
through S7003 shown in Fig. 5 to acquire verification
results from the digital signature verifier side apparatus
5 (S16001).

[0133] In the digital signature verifier side apparatus 5,
when a signature verification processing section
511 has received a request for verification of a
digital-signature-attached message from a purchaser side
apparatus 3, the section decrypts the timestamp
included in the digital-signature-attached message sent
with the request, using the public key (the public key of
the timestamp issuing apparatus 8) of the public key
certificate 821 attached to the digital-signature-attached
message to acquire time data and a digital signature
(S16101).

[0134] The signature verification processing section
511 checks the external storage device 53 to see
whether disclosure date and time of the secret key 2232
is set for the digital signer side apparatus 1 specified by
the address attached to the digital-signature-attached
message (S16102). When the disclosure date and time
has been set, the signature verification processing section
511 proceeds to step S16103, while when no
disclosure date and time has been set, the section
proceeds to step S16105 and performs the processes
at steps S7101 through S7109 shown in Fig. 5.
[0135] At step S16103, the signature verification
processing section 511 checks whether the date and
time indicated by the time data acquired at step S16101
is later than the disclosure date and time set in the
external storage device 53 (S16103). If it is later than
the disclosure date and time, the signature verification
processing section 511 determines that the
digital-signature-attached message to be verified is invalid, and
transmits the results to the purchaser side apparatus 3
that has transmitted the verification request and to the
digital signer side apparatus 1 specified by the address
attached to the digital-signature-attached message
(S16104). If it is not later than the disclosure date and
time, on the other hand, the section proceeds to step
S16105 and performs the processes at steps S7101
through S7109.

[0136] In the digital signer side apparatus 1, a
verification request processing section 112 performs the
processes at steps S7201 through S7204 shown in Fig.
5 (S16201).

[0137] Next, description will be made of representa- 
tive example processes in specific embodiments in 
which a digital signer side apparatus 1 asks the digital 
signature verifier side apparatus 5 to verify a digital-sig- 
nature-attached message that the digital signer side 
apparatus 1 has generated. 

[0138] The digital signer side apparatus 1 performs 
the same processes as those at steps S8001 through 
S8002 shown in Fig. 6. 

[0139] In the digital signature verifier side apparatus 5,
when the signature verification processing section
511 has received a request for verification of a
digital-signature-attached message from a digital signer side
apparatus 1, the section asks the purchaser side apparatus 3
specified by the address sent with the request to
transmit the digital-signature-attached message with
the address of the digital signer side apparatus 1 that
has transmitted the verification request, attached
thereto, and waits for the message to be sent. Then, the
signature verification processing section 511 performs
the processes at steps S16101 through S16105 shown
in Fig. 11.

[0140] The purchaser side apparatus 3 performs 
the same processes as those at steps S8201 through 
S8203 shown in Fig. 6. 

[0141] According to this embodiment, the digital
signature verifier side apparatus 5 acquires a digital
signature and time data by decrypting the timestamp
included in a digital-signature-attached message to be
verified, using the public key of the time stamping
authority side apparatus 8. By checking whether date
and time indicated by this time data is later than
disclosure date and time given by a digital signature generator,
it is possible to check the validity of the digital
signature before verifying the digital signature.

[0142] In the above embodiment, the digital signer
side apparatus 1 may send a request for issuance of a
timestamp at intervals (for example, once every m
digital signatures). To verify the validity of a
digital-signature-attached message with no timestamp attached
thereto, based on disclosure date and time given by a
digital signature generator, the following method is
used:

[0143] After a digital signer side apparatus 1 asks
the timestamp issuing apparatus 8 to issue a timestamp
by sending a digital signature to the timestamp issuing
apparatus 8, the digital signer side apparatus 1 includes
the timestamp sent from the timestamp issuing apparatus 8
into a signature log 2235 corresponding to the
digital signature to which the timestamp is applied, and
registers the signature log 2235 with a signature log
table 2234 as shown in Fig. 12. It should be noted that
signature logs are registered with the signature log table
2234 in the chronological order.

[0144] The digital signature verifier apparatus 5
searches the signature log table 2234 for a signature log
which is registered before the signature log corresponding
to a digital-signature-attached message to be verified
and which includes a timestamp, and decrypts the
timestamp to acquire its time data. Since signature logs
are registered with the signature log table 2234 in the
chronological order, the digital-signature-attached message
to be verified was generated after date and time
indicated by the decrypted time data. Therefore, if
disclosure date and time given by the digital signer is earlier
than the date and time indicated by this decrypted
time data, the digital-signature-attached message to be
verified is determined to be invalid.
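
The disclosure-time check of [0134] and [0135], extended to messages without their own timestamp as described in [0142] through [0144], as an added example that is not part of the patent text. The HMAC tag is a stand-in for the timestamp issuing apparatus's secret-key operation, and the verdict strings, the function names, and the choice to ignore a timestamp that does not match its log's signature are assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Timestamp:
    time: datetime  # reception time recorded by the timestamp issuer
    tag: bytes      # binds `time` to exactly one digital signature


@dataclass(frozen=True)
class SignatureLog:
    signature: bytes
    timestamp: Optional[Timestamp] = None  # present once every m signatures


def issue_timestamp(tsa_key: bytes, signature: bytes, when: datetime) -> Timestamp:
    # Stand-in (assumption) for encrypting signature and time data with the
    # issuer's secret key; a real issuer uses an asymmetric key pair.
    data = signature + when.isoformat().encode()
    return Timestamp(when, hmac.new(tsa_key, data, hashlib.sha256).digest())


def timestamp_time(tsa_key: bytes, log: SignatureLog) -> Optional[datetime]:
    """Time data of a log's timestamp, or None if the log has no timestamp
    or the timestamp was not issued for this log's signature."""
    ts = log.timestamp
    if ts is None:
        return None
    expected = issue_timestamp(tsa_key, log.signature, ts.time).tag
    return ts.time if hmac.compare_digest(ts.tag, expected) else None


def check_disclosure(table: List[SignatureLog], target: int,
                     disclosed_at: datetime,
                     tsa_key: bytes) -> Tuple[str, Optional[int]]:
    """Search back from the target log for the nearest usable timestamp.

    The table is in chronological order, so that timestamp is a lower bound
    on when the target signature was generated. If even the lower bound is
    later than the disclosure time the message is invalid; otherwise the
    ordinary signature verification still has to run.
    """
    for i in range(target, -1, -1):
        when = timestamp_time(tsa_key, table[i])
        if when is None:
            continue
        verdict = "INVALID" if when > disclosed_at else "CONTINUE"
        return verdict, i
    return "CONTINUE", None  # no timestamp available: nothing can be ruled out


def build_demo_table(tsa_key: bytes) -> List[SignatureLog]:
    """Constructed sample: seven logs, one timestamp every three signatures
    (index 0 at 09:00, index 3 at 12:00, index 6 at 15:00 UTC)."""
    start = datetime(2000, 3, 17, 9, 0, tzinfo=timezone.utc)
    table = []
    for i in range(7):
        sig = hashlib.sha256(f"constructed-signature-{i}".encode()).digest()
        ts = issue_timestamp(tsa_key, sig, start + timedelta(hours=i)) if i % 3 == 0 else None
        table.append(SignatureLog(sig, ts))
    return table


if __name__ == "__main__":
    tsa_key = b"constructed-tsa-key"  # constructed value
    table = build_demo_table(tsa_key)
    disclosed = datetime(2000, 3, 17, 11, 0, tzinfo=timezone.utc)
    for target in (2, 3, 4):
        print(target, check_disclosure(table, target, disclosed, tsa_key))
```

A "CONTINUE" verdict only means the timestamp evidence does not rule the message out; it is not a statement that the signature is valid.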
[0145] Furthermore, in the second embodiment
also, a timestamp can be used to determine the validity
of a digital signature. Determination of the validity of a
digital signature by use of a timestamp can be realized
independently from the first embodiment and the
second embodiment.

[0146] Different from each of the above embodiments,
a message itself may be included in each signature
log 2235 when the storage device storing the
signature log table 2234 has spare capacity.
[0147] Different from each of the above embodiments,
all processes to be performed by each digital
signer side apparatus 1 may be performed inside a
computer 21.

[0148] Different from each of the above embodiments,
various signing methods which use a digital signature,
a message (and previous data in the case of the
second embodiment), and a public key paired with a
secret key owned by a digital signer to authenticate
whether said digital signature has been generated for
said message, can be applied to the present invention.
[0149] As described above, the present invention 
can provide a digital signature technique which can dis- 
criminate a digital signature generated by a digital sig- 
nature generator from a digital signature generated by a 
third party posing as the digital signature generator. 
[0150] The preceding has been a description of the 
preferred embodiment of the invention. It will be appre- 
ciated that deviations and modifications can be made 
without departing from the scope of the invention, which 
is defined by the appended claims. 

Claims 

1. A digital signing method, comprising:

applying a secret key to a message to generate 
a digital signature for the message; 
distributing a digital-signature-attached mes- 
sage including the generated digital signature 
and the message; 

registering the digital-signature-attached mes- 
sage as log data with a log list; and 
providing said log list responsive to a request. 

2. The digital signing method of claim 1, wherein said
message is a hash value of another message.

3. The digital signing method of claim 1, wherein:

said applying a secret key to a message to 
generate a digital signature for the message 
further comprises: 

applying said secret key to a message and 
data from a previously signed message 
retrieved from a recent log data registered in 
said log list to generate a digital signature for 
the message; and wherein: 
said distributing a digital-signature-attached
message including the generated digital signa- 
ture and the message, further comprises: 
distributing a digital-signature-attached mes- 
sage including the generated digital signature, 
the data from a previously signed message, 
and the message. 

4. The digital signing method of claim 1, wherein said
log data further comprises a distribution destination,
and wherein:

said registering log data of the digital-signa- 
ture-attached message with a log list further 
comprises: 

registering log data of a digital-signature- 
attached message with a log list, said log data 
including a distribution destination attached 
thereto. 



5. The digital signing method of claim 1, said method
further comprising:

permitting registration of the log data with said
log list only when the data from a previously
signed message included in said digital-signature-attached
message is included in the latest
log data registered with said log list.

6. The digital signing method of claim 1, further
comprising:

obtaining a timestamp from a trusted authority, 
said timestamp generated by applying a sec- 
ond secret key to the digital signature, and a 
time; and 

said distributing a digital-signature-attached 
message including the generated digital signa- 
ture and the message, further comprises: 
distributing a digital-signature-attached mes- 
sage including the generated digital signature, 
the timestamp, and the message. 

7. A digital signature verifying method, comprising: 

accepting a digital-signature-attached mes- 
sage; 

acquiring a log list of a digital signer, wherein 
said digital-signature-attached message may 
have been distributed by said digital signer is to 
be verified; and 

checking whether log data of said digital-signa- 
ture-attached message is registered in said log 
list, and 

if the log data is registered in the log list, 
authenticating that the digital-signature- 
attached message was distributed by the dig- 
ital signer. 
8. The digital signature verifying method of claim 7,
said method further comprising:

checking whether the digital signature included
in the digital-signature-attached message has
been generated for the message included in
the digital-signature-attached message, using
the digital signature and the message included
in said digital-signature-attached message and
a public key paired with a secret key of said
digital signer.

9. The digital signature verifying method of claim 7,
wherein said digital-signature-attached message
further comprises data from a previously signed
message, said method further comprising:

checking whether the digital signature included
in the digital-signature-attached message has
been generated for the message included in
the digital-signature-attached message, using
the digital signature, the data from a previously
signed message, and the message included in
said digital-signature-attached message and a
public key paired with a secret key of said
digital signer.

10. The digital signature verifying method of claim 9,
said method further comprising:

checking whether data from a previously
signed message included in said digital-signature-attached
message is included in the log
data registered immediately before log data of
said digital-signature-attached message in said
log list, and if the data from a previously signed
message is included in the immediately previous
registered log data, authenticating that
said log list has not been altered.

11. The digital signature verifying method of claim 7,
wherein said log data further comprises a distribution
destination, said method further comprising:

acquiring a digital-signature-attached message
from the distribution destination attached to the
log data registered immediately before/after
the log data of said digital-signature-attached
message in said log list, and
checking whether the acquired message is
included in said immediately previous/subsequent
registered log data, and if the message is
included, authenticating that said log list has
not been altered.

12. The digital signature verifying method of claim 7,
wherein said digital-signature-attached message
further comprises a timestamp created using a second
secret key, said method further comprising:

acquiring a digital signature and a time data by
applying a public key paired with said second
secret key to the timestamp included in said
digital-signature-attached message; and
checking whether date and time indicated by
the acquired time data exceeds a date and time
of signing of said digital-signature-attached
message, and if the date and time indicated by
the time data does not exceed the date and
time of signing of said digital-signature-attached
message, authenticating the validity
of the acquired digital signature.

13. A digital signing apparatus, comprising:

a processor; and 

a storage medium; wherein said processor
applies a secret key to a message to generate
a digital signature for the message; and
wherein

said processor prepares a digital-signature- 
attached message including the generated dig- 
ital signature and the message; and wherein 
said processor registers log data of said digital- 
signature-attached message with a log list in 
said storage medium. 

14. The digital signing apparatus of claim 13, wherein, 
said message is a hash value of another message. 

15. The digital signing apparatus of claim 13, wherein 

said processor applies said secret key to a 
message and data from a previously signed 
message retrieved from a recent log data regis- 
tered in said log list to generate a digital signa- 
ture for the message; and wherein 
said processor prepares a digital-signature- 
attached message that includes the generated 
digital signature, the message and the data 
from a previously signed message; and 
wherein 

said processor registers log data of a digital- 
signature-attached message including the gen- 
erated digital signature, the message, and the 
data from a previously signed message, with 
said log list. 

16. The digital signing apparatus of claim 13, wherein 
said log data further comprises a distribution desti- 
nation, and wherein: 

said processor registers log data of a digital- 
signature-attached message with a log list, 
said log data including a distribution destination 
attached thereto. 

17. The digital signing apparatus of claim 13, wherein: 

registration of the log data with said log list is 
permitted only when the data from a previously 
signed message included in said digital-signa- 
ture-attached message is included in the latest 
log data registered with said log list. 

18. The digital signing apparatus of claim 13, wherein:

said processor obtains a timestamp from a
trusted authority, said timestamp generated by
applying a second secret key to the digital signature,
and a time; and

said processor prepares said digital-signature-attached
message including the generated digital
signature, the timestamp, and the message.

19. The digital signing apparatus of claim 13, further
comprising: an interface configured to be connectable
to a computer.

20. The digital signing apparatus of claim 19, wherein:

if a number of the log data registered with the
log list exceeds a particular value, said processor
outputs at least one of a plurality of log data
registered with the log list to said computer,
whereupon said computer registers said at
least one of a plurality of log data with a second
log list prepared in said computer, and thereupon,

said processor deletes said at least one of a
plurality of log data from said log list in said
storage medium.

21. A digital signature verifying apparatus, comprising:

a processor interconnected with an input
device, wherein:

said input device accepts a digital-signature-attached
message to be verified and a log list
of a digital signer; and wherein
said processor checks whether log data of said
digital-signature-attached message is registered
with said log list, and
if the log data is registered with the log list,
authenticates that the digital-signature-attached
message has been generated by said
digital signer.

22. A digital signature verifying apparatus of claim 21,
wherein:

said processor authenticates whether the digital
signature included in said digital-signature-attached
message has been generated for the
message included in the digital-signature-attached
message, using the digital signature
and the message included in said digital-signature-attached
message and a public key paired
with a secret key of said digital signer.

23. A digital signature verifying apparatus of claim 21,
wherein said digital-signature-attached message
further comprises data from a previously signed
message, and wherein

said processor authenticates whether the digital
signature included in said digital-signature-attached
message has been generated for the
message included in the digital-signature-attached
message, using the digital signature,
the data from a previously signed message,
and the message included in said digital-signature-attached
message and a public key paired
with a secret key of said digital signer.

24. A digital signature verifying apparatus of claim 23,
wherein

said processor checks whether the data from a
previously signed message included in said
digital-signature-attached message is included
in the log data registered immediately before
the log data of said digital-signature-attached
message in said log list, and if the data from a
previously signed message is included in the
immediately previous registered log data, said
processor authenticates that said log list has
not been altered.
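
An added sketch of the log-list checks in claims 17, 21, 23 and 24 (not code from the patent): HMAC-SHA256 stands in for the signer's secret-key signature and its public-key check, the data carried from the previously signed message is assumed to be the previous signature, and `GENESIS`, `sign_op`, `SigningLog` and `verify` are hypothetical names. `verify` walks the whole log list rather than only the neighbouring entry.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # assumed link value carried by the first signed message

def sign_op(key, prev_sig, message):
    # Stand-in for the secret-key operation: HMAC, not a public-key signature.
    digest = hashlib.sha256(message).digest()
    return hmac.new(key, prev_sig + digest, hashlib.sha256).digest()

class SigningLog:
    """Signer side: sign with the previous signature attached, then log it."""
    def __init__(self, key):
        self._key = key
        self.entries = []  # log list of (prev_sig, message, signature)

    def _latest(self):
        return self.entries[-1][2] if self.entries else GENESIS

    def sign(self, message):
        prev_sig = self._latest()
        signed = (prev_sig, message, sign_op(self._key, prev_sig, message))
        self.register(signed)
        return signed

    def register(self, signed):
        # Claim 17: register only if the carried link is in the latest log data.
        if not hmac.compare_digest(signed[0], self._latest()):
            raise ValueError("link does not match the latest log entry")
        self.entries.append(signed)

def verify(signed, log, check_sig):
    """Return (registered, signature_ok, log_intact) for claims 21, 23, 24."""
    registered = signed in log
    signature_ok = check_sig(*signed)
    log_intact = all(entry[0] == (log[i - 1][2] if i else GENESIS)
                     for i, entry in enumerate(log))
    return registered, signature_ok, log_intact

def demo():
    key = b"constructed-demo-key"  # constructed sample key and messages
    log = SigningLog(key)
    a, b, c = [log.sign(m) for m in (b"order 1", b"order 2", b"order 3")]
    check = lambda p, m, s: hmac.compare_digest(s, sign_op(key, p, m))
    genuine = verify(b, log.entries, check)
    # Valid signature made with the key but never entered in the signer's log.
    unlogged = (c[2], b"order 4", sign_op(key, c[2], b"order 4"))
    # Log list with the middle entry deleted.
    pruned = verify(c, [a, c], check)
    return genuine, verify(unlogged, log.entries, check), pruned
```

`demo()` returns `(True, True, True)` for a logged message, `(False, True, True)` for a correctly signed message that is absent from the log list, and `(True, True, False)` when an entry has been deleted from the list.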

25. The digital signature verifying apparatus of claim
21, wherein said log data further comprises a
distribution destination, and wherein:

said processor acquires a digital-signature-attached
message from the distribution destination
attached to the log data registered
immediately before/after the log data of said
digital-signature-attached message in said log
list, and wherein

said processor checks whether the acquired
message is included in said immediately
previous/subsequent registered log data, and if the
message is included, said processor
authenticates that said log list has not been altered.

26. The digital signature verifying apparatus of claim
21, wherein said digital-signature-attached message
further comprises a timestamp created using
a second secret key, and wherein:

said processor acquires a digital signature and
a time data by applying a public key paired with
said second secret key to the timestamp
included in said digital-signature-attached
message; and wherein

said processor checks whether date and time
indicated by the acquired time data exceeds a
date and time of signing of said digital-signature-attached
message, and if the date and
time indicated by the time data does not
exceed the date and time of signing of said
digital-signature-attached message, said processor
authenticates the validity of the acquired
digital signature.

27. A computer program product for creating a digital
signature, said program product comprising:

code that applies a secret key to a message to
generate a digital signature for the message;
code that prepares a digital-signature-attached
message including the generated digital signature
and the message;

code that registers log data of said digital-signature-attached
message with a log list in said
storage medium; and
a computer readable storage medium for
embodying the codes.

28. A computer program product of claim 27, wherein
the computer readable storage medium is a computer
readable medium for storing the codes.

29. A computer program product of claim 27, wherein
the computer readable storage medium is a computer
readable medium for transmitting the codes.

30. A computer program product for verifying a digital
signature, said computer program product comprising:

code that accepts a digital-signature-attached
message and a log list from a digital signer;
and

code that checks whether log data of said
digital-signature-attached message is registered
with said log list, and if the log data is registered
with the log list, authenticates that the
digital-signature-attached message has been
generated by said digital signer; and
a computer readable storage medium for storing
the codes.

31. A digital timestamp issuing apparatus, comprising:

a processor and an interface, wherein
said processor generates a timestamp by
applying a secret key to data received by said
interface, said data comprising a digital signature
sent from a digital signer, and a reception
time of the digital signature; and wherein
said processor transmits said timestamp to
said digital signer using said interface.

32. A digital signing system, said system comprising:

a digital signing apparatus;

a timestamp issuing apparatus;

said digital signing apparatus comprising:

a processor and a communication interface,
wherein said processor applies a first secret
key to a message or its hash value to generate
a digital signature; and

said processor transmits said digital signature
to said timestamp issuing apparatus by said
communication interface and acquires a timestamp
in response; and wherein
said processor attaches the acquired timestamp
to said message to create a digital-signature-attached
message; and

said timestamp issuing apparatus comprising:

a processor and a communication interface,
wherein

said processor generates a timestamp by
applying a second secret key to data which
includes the digital signature sent by said digital
signing apparatus, and a reception time of
the digital signature; and wherein said processor
transmits said timestamp to said digital signing
apparatus.

33. The digital signing system of claim 32, said system
further comprising:

a digital signature verifying apparatus comprising:

a processor interconnected with an input
device, wherein

said input device accepts a digital-signature-attached
message to be verified; and wherein
said processor acquires a digital signature and
time data by applying a public key paired with
the secret key of the timestamp apparatus to
the timestamp included in said digital-signature-attached
message; and thereupon,
said processor checks whether date and time
indicated by the time data exceeds expiration
date and time assigned at said digital signing
apparatus, and when the date and time indicated
by the time data does not exceed the
expiration date and time, said processor
authenticates the validity of the said digital signature;
and thereupon,

said processor authenticates whether said digital
signature included in said digital-signature-attached
message has been generated for the
message included in said digital-signature-attached
message, using said digital signature,
the message included in said digital-signature-attached
message, and a public key paired with
the secret key of the digital signing apparatus.